The opinions expressed in this blog are my own and do not represent those of my current employer

Virtualization can be used to reach various goals, such as monitoring the system, its resources and its applications. It can be used for full system virtualization, but I also like the approach of using it just as a tool. This post will briefly cover the implementation of a mini-hypervisor (now available on GitHub) for Intel VT-x on the x64 platform, and demonstrate the concept of how to use it.

In this post I will take a look at PatchGuard, at the classic scenario of bypassing this protection and also at a slightly different one. I will also examine a new way (but most probably not new, just reinvented, because it is too obvious and quite effective) to locate and abuse the PatchGuard context and its behaviour.

    /* Kernel DPC object layout (KDPC), as declared in the WDK headers */
    typedef struct _KDPC
    {
        UCHAR Type;
        UCHAR Importance;
        volatile USHORT Number;
        LIST_ENTRY DpcListEntry;
        PKDEFERRED_ROUTINE DeferredRoutine;
        PVOID DeferredContext;
        PVOID SystemArgument1;
        PVOID SystemArgument2;
        __volatile PVOID DpcData;
    } KDPC, *PKDPC, *PRKDPC;

A PoC and some explanation of the code, of its weaknesses and of points for further research are included.